  1. HBase
  2. HBASE-7860

HBase authorization is reliant on Kerberos

Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Not A Problem
    • Affects Version/s: 0.94.4
    • Fix Version/s: None
    • Component/s: security
    • Labels: None

    Description

      We are currently unable to use ACLs without having Kerberos set up. That is a pain for testing and environments that have other authentication methods that are not Kerberos-centric.

      safety valve:
      <property>
      <name>hbase.security.authorization</name>
      <value>true</value>
      </property>
      <property>
      <name>hbase.coprocessor.master.classes</name>
      <value>org.apache.hadoop.hbase.security.access.AccessController</value>
      </property>
      <property>
      <name>hbase.coprocessor.region.classes</name>
      <value>org.apache.hadoop.hbase.security.token.TokenProvider,org.apache.hadoop.hbase.security.access.AccessController</value>
      </property>

      [root@cdh4-oozie-1 ~]# hbase shell
      hbase(main):001:0> create 't1', 'cf1'

      ERROR: org.apache.hadoop.hbase.security.AccessDeniedException: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions for user 'null' (global, action=CREATE)
      at org.apache.hadoop.hbase.security.access.AccessController.requirePermission(AccessController.java:402)
      at org.apache.hadoop.hbase.security.access.AccessController.preCreateTable(AccessController.java:525)
      at org.apache.hadoop.hbase.master.MasterCoprocessorHost.preCreateTable(MasterCoprocessorHost.java:89)
      at org.apache.hadoop.hbase.master.HMaster.createTable(HMaster.java:1056)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
      at java.lang.reflect.Method.invoke(Method.java:597)
      at org.apache.hadoop.hbase.ipc.WritableRpcEngine$Server.call(WritableRpcEngine.java:364)
      at org.apache.hadoop.hbase.ipc.HBaseServer$Handler.run(HBaseServer.java:1345)

      [root@cdh4-oozie-1 ~]# su hbase
      bash-4.1$ hbase shell

      hbase(main):001:0> create 't1', 'cf1'

      ERROR: org.apache.hadoop.hbase.security.AccessDeniedException: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions for user 'null' (global, action=CREATE)
      at org.apache.hadoop.hbase.security.access.AccessController.requirePermission(AccessController.java:402)
      at org.apache.hadoop.hbase.security.access.AccessController.preCreateTable(AccessController.java:525)
      at org.apache.hadoop.hbase.master.MasterCoprocessorHost.preCreateTable(MasterCoprocessorHost.java:89)
      at org.apache.hadoop.hbase.master.HMaster.createTable(HMaster.java:1056)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
      at java.lang.reflect.Method.invoke(Method.java:597)
      at org.apache.hadoop.hbase.ipc.WritableRpcEngine$Server.call(WritableRpcEngine.java:364)
      at org.apache.hadoop.hbase.ipc.HBaseServer$Handler.run(HBaseServer.java:1345)

      It looks like we are relying on Kerberos to tell us who the user is, but since we are not using authentication, we are just passing NULL. We should be able to just rely on the local fs account.
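
A configuration check for the situation in this report, as an added example that is not part of the original issue or of the HBase code base: it flags an hbase-site.xml that loads the AccessController without Kerberos authentication, which is the condition under which the ACL check sees user 'null'. The property names `hbase.security.authentication` and `hbase.rpc.engine` and the `SecureRpcEngine` class do not appear in the report; they are the settings the HBase 0.94 security documentation lists for secure RPC, and the sample XML is constructed from the snippet above.

```python
import xml.etree.ElementTree as ET

ACCESS_CONTROLLER = "org.apache.hadoop.hbase.security.access.AccessController"
SECURE_RPC = "org.apache.hadoop.hbase.ipc.SecureRpcEngine"  # 0.94-era secure RPC engine

# Constructed sample: the "safety valve" snippet from the report, wrapped in <configuration>.
REPORTED_SITE_XML = """<configuration>
<property><name>hbase.security.authorization</name><value>true</value></property>
<property><name>hbase.coprocessor.master.classes</name>
<value>org.apache.hadoop.hbase.security.access.AccessController</value></property>
<property><name>hbase.coprocessor.region.classes</name>
<value>org.apache.hadoop.hbase.security.token.TokenProvider,org.apache.hadoop.hbase.security.access.AccessController</value></property>
</configuration>"""


def load_properties(xml_text):
    """Return {name: value} for every <property> in an hbase-site.xml document."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props


def audit(props):
    """List reasons why ACL checks would run without an authenticated caller."""
    findings = []
    acl_loaded = any(
        ACCESS_CONTROLLER in [c.strip() for c in props.get(key, "").split(",")]
        for key in ("hbase.coprocessor.master.classes", "hbase.coprocessor.region.classes")
    )
    authz = props.get("hbase.security.authorization", "false").lower() == "true"
    if not (authz or acl_loaded):
        return findings  # ACLs are not in use; nothing to check
    if authz != acl_loaded:
        findings.append("authorization flag and AccessController coprocessor disagree")
    if props.get("hbase.security.authentication", "simple").lower() != "kerberos":
        findings.append("ACLs enabled but hbase.security.authentication is not kerberos")
    if props.get("hbase.rpc.engine") != SECURE_RPC:
        findings.append("hbase.rpc.engine is not SecureRpcEngine")
    return findings


if __name__ == "__main__":
    for finding in audit(load_properties(REPORTED_SITE_XML)):
        print("FINDING:", finding)
```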

          People

            Assignee: Unassigned
            Reporter: Kevin Odell (kevin.odell)